Firewall blocking FTP server on Windows 2008 R2

I can access the FTP site without problems from the local machine, but it times out from the remote machine.

If I turn the firewall off COMPLETELY, it works. Obviously, this isn't really a satisfactory solution.

I've attempted to follow these steps, but to no avail.

On my remote machine I am using Filezilla as the FTP client. Below is the output it gives me as I attempt to access the site. As you can see, it manages to connect and authenticate, but the attempt to list the directory times out.

Can somebody tell me where I should look next?

Status: Connecting to 192.168.15.12:21...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    USER CMSDEVELOPMENT\CMSdev
Response:   331 Password required for CMSDEVELOPMENT\CMSdev.
Command:    PASS ******
Response:   230-Directory has 71,805,415,424 bytes of disk space available.
Response:   230 User logged in.
Command:    OPTS UTF8 ON
Response:   200 OPTS UTF8 command successful - UTF8 encoding now ON.
Status: Connected
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is current directory.
Command:    TYPE I
Response:   200 Type set to I.
Command:    PASV
Response:   227 Entering Passive Mode (192,168,15,12,192,160).
Command:    LIST
Response:   150 Opening BINARY mode data connection.
Error:  Connection timed out
Error:  Failed to retrieve directory listing

Looking at the firewall logs, I see these entries:

2012-04-23 14:44:54 DROP TCP 192.168.15.90 192.168.15.12 55743 49342 52 S 650301735 0 65535 - - - RECEIVE
2012-04-23 14:44:57 DROP TCP 192.168.15.90 192.168.15.12 55743 49342 52 S 650301735 0 65535 - - - RECEIVE
2012-04-23 14:45:03 DROP TCP 192.168.15.90 192.168.15.12 55743 49342 48 S 650301735 0 65535 - - - RECEIVE
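
An added example, not part of the original post: a Python sketch that decodes the data port from the 227 reply above and counts the inbound SYNs the firewall log shows as dropped toward the server. The function names are hypothetical, and the field order is assumed to be the standard `#Fields:` header of the Windows Firewall log.

```python
import re
from collections import Counter

# Field order from the "#Fields:" header of the Windows Firewall log.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range 0-255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def dropped_syns(log_lines, server_ip):
    """Yield DROP records for inbound TCP SYNs addressed to server_ip."""
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and the log's header lines
        rec = dict(zip(FIELDS, line.split()))
        if (rec.get("action") == "DROP" and rec.get("protocol") == "TCP"
                and rec.get("dst_ip") == server_ip
                and rec.get("tcpflags") == "S" and rec.get("path") == "RECEIVE"):
            yield rec

def blocked_data_ports(log_lines, server_ip, control_port=21):
    """Count dropped SYNs per destination port, ignoring the control port."""
    return Counter(int(r["dst_port"]) for r in dropped_syns(log_lines, server_ip)
                   if int(r["dst_port"]) != control_port)

# Both samples are copied from the post above.
PASV_REPLY = "227 Entering Passive Mode (192,168,15,12,192,160)."
FW_LOG = """\
2012-04-23 14:44:54 DROP TCP 192.168.15.90 192.168.15.12 55743 49342 52 S 650301735 0 65535 - - - RECEIVE
2012-04-23 14:44:57 DROP TCP 192.168.15.90 192.168.15.12 55743 49342 52 S 650301735 0 65535 - - - RECEIVE
2012-04-23 14:45:03 DROP TCP 192.168.15.90 192.168.15.12 55743 49342 48 S 650301735 0 65535 - - - RECEIVE
""".splitlines()

if __name__ == "__main__":
    ip, port = parse_pasv(PASV_REPLY)
    print(f"server advertised data endpoint {ip}:{port}")
    for p, n in sorted(blocked_data_ports(FW_LOG, ip).items()):
        print(f"{n} dropped SYN(s) to {ip}:{p}")
```

The reply advertises port 49312 while the dropped SYNs target 49342; the server names a port in each 227 reply, so an inbound allow rule has to cover the whole passive range configured in IIS rather than a single port.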

Solution 1:

I finally got it to work, but there are some things I've learnt:

  • IIS will let you configure the ports that the FTP server will use for passive mode. But, for me, this did NOT take effect until I restarted the service named "Microsoft FTP Service".

  • When I looked at the inbound firewall rules, I saw three preconfigured rules:

    • FTP Server (FTP Traffic-In)
    • FTP Server Passive (FTP Passive Traffic-in)
    • FTP Server Secure (FTP SSL Traffic In)

These rules looked like just what I needed. But for some reason, they didn't actually do anything. When I created my OWN rules specifying exactly the same things, it worked. (Apparently, I'm not the first to encounter this problem, see this posting.)


Later Edit: Reading the comments below, it appears I was mistaken about these rules not working. You just need to enable them and restart the Microsoft FTP Service.

Solution 2:

I have the same problem on a fresh install of Server 2012, but had to restart the Windows Firewall service to get it to work.

Solution 3:

You might want to try to disable stateful FTP filtering:

netsh advfirewall set global StatefulFTP disable

and make sure to restart the FTP service afterwards.

(see also: http://blog.nenoloje.com/2013/01/ftp-service-for-iis-client-connection.html)